2019/05/13

Renew SSL certificate from GoGetSSL for self hosted Gitlab Server

About

As one of our SSL certificates will expire soon, I need to renew it for my GitLab server. This is a blog post about how to renew an SSL certificate purchased from GoGetSSL and install it into a GitLab server. Here is another related blog post from me, written one or two years ago, which talks about certificates.

Renew From GoGetSSL

As the steps for purchasing a certificate are really clunky, I would like to write down some notes here.
  • Log in to your administrative account at GoGetSSL
  • Locate the certificate that will expire soon
  • Click Start Renewal. It is a text link, somewhat hidden among a bunch of messages.
  • Complete the billing process
  • Remember to click RENEW instead of NEW ORDER when submitting the CSR form. Otherwise, your new certificate will not carry over the remaining days from your old certificate
  • Validate your information as guided on the website

Certificate zip

After completing the steps in the section above, you should get an email from GoGetSSL that includes a certificate zip for your installation. Below is the list of files in that zip.
  • DOMAIN.ca-bundle
  • DOMAIN.crt

Install SSL certificate to the Gitlab Server

As there are several installation guides provided by GoGetSSL, you may be able to find the one you need if you are lucky enough. In my case, I am not :)
Below are the steps for the installation
  • Copy the certificates listed above to the GitLab server
  • Concatenate the crt and the ca-bundle together, crt first
    • This step is not necessary if your certificate does not come with an intermediate certificate
    • Please check out my old blog post if you are not sure what an intermediate certificate is
    • If you do not concatenate them, some browsers (FIREFOX, DAMN) may consider your certificate a bad certificate while others do not (CHROME ROCKS)
mv DOMAIN.crt dummy.crt
cat dummy.crt DOMAIN.ca-bundle > DOMAIN.crt
rm dummy.crt
  • Change the certificate's owner and permissions
chown root:root DOMAIN.crt
chmod 644 DOMAIN.crt
  • Overwrite your original certificate on the GitLab server
mv DOMAIN.crt /etc/gitlab/ssl/ORIGINAL_CERT
  • Move the ca-bundle to your system certificate directory
    • These steps may be unnecessary
    • On my Ubuntu system, the system certificate directory is `/etc/ssl/certs`
  • Compute the hash of the ca-bundle for creating a symbolic link
  • Create a symbolic link for the system to read
    • The symbolic link should end with .0
mv DOMAIN.ca-bundle /etc/ssl/certs
cd /etc/ssl/certs
openssl x509 -in DOMAIN.ca-bundle -hash -noout
SOME_OUTPUT
ln -s DOMAIN.ca-bundle SOME_OUTPUT.0
  • Restart the GitLab server to complete the certificate renewal process
 sudo gitlab-ctl restart

Useful debug commands

  • Verify the certificate chain
 /opt/gitlab/embedded/bin/openssl verify -CApath /etc/ssl/certs/ DOMAIN.crt